KubeCon 2017 Recap: Community, Service Meshes, and Security

“Keep Cloud Native Weird.” That was the motto of KubeCon + CloudNativeCon 2017, which I had the opportunity to attend last week in Austin. With the conference attracting more than 4,100 participants, hundreds of technical sessions, new project announcements, and key updates on existing initiatives, it is clear that the cloud native computing revolution continues to accelerate. Here are some of the highlights I found most interesting.

KubeCon welcome mural

KubeCon motto

Kubernetes Takes Off in the Enterprise

I kicked off the week at the Red Hat OpenShift Commons Gathering, where a group of enterprises gathered to share how Kubernetes is helping them tackle the biggest challenges related to digital transformation. Organizations like Telus Digital, NTT Labs, and Rackspace presented on use cases such as continuous delivery, hybrid cloud, and workload consolidation – all enabled with Red Hat OpenShift.

Openshift overview at Commons Gathering

Upstream Kubernetes panel

.gov OpenShift panel

Red Hat talked about their efforts to make Kubernetes increasingly stable and reliable for broader enterprise deployments. A panel of leaders from Red Hat, Google, and Microsoft shared their thoughts on the direction of upstream Kubernetes, analogizing it to a rocket ship. Additionally, a .gov panel brought together IT leaders from U.S. Treasury, U.S. Courts, U.S. Citizenship and Immigration Services, and Oak Ridge National Laboratory to discuss the role of OpenShift in modernizing their application environments.

A Community Leaps Forward

This year’s KubeCon was the biggest one yet. At his morning keynote, Dan Kohn, Executive Director of the Cloud Native Computing Foundation (CNCF), emphasized how much the Kubernetes ecosystem has grown. The CNCF has fostered an open, inclusive community of builders that, in just the past two years, has grown to 4,100+ attendees, from a single CNCF initial project (Kubernetes) to 14 projects, to 150+ members, 29 end user organizations, and 25 Kubernetes-certified service providers. By some measures, Kubernetes is now the second biggest open source project of all time, second only to Linux.

Red Hat talked about Kubernetes finally maturing to the point of being “boring.” And Alibaba Cloud talked about how they use Kubernetes at large scale. Key end-user organizations took the stage to talk about how Kubernetes has changed their entire businesses. For example, HBO emphasized how it uses Kubernetes to power the delivery of Game of Thrones.

HBO engineers talking about Kubernetes

Kubernetes’ scalability helps service HBO traffic

Netflix stressed how cloud native principles underlie a culture of continuous software delivery. GitHub talked about how it already runs 20% of its services, including github.com, in production on Kubernetes.

Netflix presenting on cloud native continuous delivery

GitHub keynote slide

It’s More Than Just Kubernetes

Two years ago, the CNCF was home to just a single project: Kubernetes. Today it is the steward of 14 projects. The CNCF landscape now has hundreds of projects, products, and companies that span the entire stack. Existing CNCF projects continue to mature quickly: containerd, fluentd, CoreDNS, and Jaeger all announced their v1.0.0 releases last week. Chen Goldberg, Director of Engineering at Google Cloud, presented on how the “superpower” of Kubernetes is that it is much more than just container orchestration. It provides extensibility for new types of services. Craig McLuckie, CEO and co-founder of Heptio and co-founder of Kubernetes, gave a shout-out to StackRox as an example of a company driving security innovation on top of Kubernetes by taking advantage of its extensibility.

Kubernetes: more than orchestration

Kubernetes’ superpower: extensibility

Service Meshes Take Off

If there was one topic that set the entire community abuzz at KubeCon, it was service meshes. Service meshes were mentioned in just about every talk I attended throughout the week, and some went so far as to predict that 2018 would be “The Year of the Service Mesh.”

Istio roadmap

Istio architecture

Buoyant launched a new service mesh called Conduit, while a lot of focus remained on Istio and Envoy, and the benefits they provide when it comes to handling connectivity and monitoring of microservices at scale.

Threat Vectors and Attack Patterns in Kubernetes

Security was in the spotlight throughout last week, as several breakout sessions included presentations and demos of new threats in Kubernetes environments. Greg Castle and CJ Cullen, engineers on Google Cloud’s security team, showed three demos that encompassed privilege escalation, secrets misuse, and lateral movement within a Kubernetes cluster. In one example, they demoed how an attacker could start with a shell injection on a web-facing front end pod. This can allow an attacker to utilize a service account to extract secrets, then perform an unauthorized execution in a Kubernetes pod, and subsequently gain access to an API key for a payments service.

Google security team presentation

Demos of Kubernetes attacks

Next, a security researcher from Symantec demoed how a malicious user in Kubernetes could exfiltrate source code, keys, tokens, and credentials; gain root access to underlying cluster nodes; and quickly expand the blast radius of an attack to compromise services outside the container cluster.

Threats in Kubernetes environments

Potential Kubernetes attack vectors

Organizations using Kubernetes also talked about their approaches to security. Shopify highlighted the “security tiers” it uses to protect its Google Kubernetes Engine (GKE) clusters, and Databricks talked about the critical Kubernetes security concerns they have had to address through a combination of access control, secrets management, and audit logging.
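The Google demo above hinged on a front-end pod whose service account could read secrets and exec into other pods, and the Shopify and Databricks talks both came back to access control as the first line of defense. The following is an added example, not code from any of the talks or from StackRox: a small offline audit that walks Role/ClusterRole and binding objects (constructed sample manifests, as Python dicts rather than live cluster output) and reports which service accounts hold exactly those two capabilities. The `RISKY` table, the role names, and the namespaces are all assumptions chosen for the illustration.

```python
"""Audit Kubernetes RBAC objects for service accounts that can read
secrets or exec into pods.  Everything below is constructed sample data
for the example; the matching mirrors Kubernetes' verb/resource rule
evaluation (including the "*" wildcard) only as far as this check needs."""

# (resource, verb) pairs that let a compromised pod reproduce the demoed chain.
RISKY = {
    ("secrets", "get"): "read secrets",
    ("secrets", "list"): "read secrets",
    ("secrets", "watch"): "read secrets",
    ("pods/exec", "create"): "exec into pods",
}

# Constructed manifests: a Role far too broad for a web front end, a tightly
# scoped Role, a wildcard ClusterRole, and the bindings that hand them out.
ROLES = [
    {"kind": "Role", "metadata": {"name": "frontend-role", "namespace": "web"},
     "rules": [{"apiGroups": [""],
                "resources": ["secrets", "pods/exec", "configmaps"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "frontend-binding", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "frontend-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "frontend", "namespace": "web"}]},
    {"kind": "RoleBinding", "metadata": {"name": "reader-binding", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "reporter", "namespace": "web"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "kube-system"}]},
]


def _matches(rule_values, wanted):
    """A rule entry matches if it names the value or uses the wildcard."""
    return "*" in rule_values or wanted in rule_values


def risky_permissions(rules):
    """Return the set of risky capability labels granted by a list of rules."""
    found = set()
    for rule in rules:
        for (resource, verb), label in RISKY.items():
            if _matches(rule.get("resources", []), resource) and \
               _matches(rule.get("verbs", []), verb):
                found.add(label)
    return found


def audit(roles, bindings):
    """Map 'namespace/serviceaccount' -> sorted risky capabilities it holds.

    A RoleBinding is resolved in its own namespace; a ClusterRole reference
    (from either binding kind) is resolved cluster-wide (namespace None).
    """
    role_index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r["rules"]
                  for r in roles}
    report = {}
    for b in bindings:
        ref = b["roleRef"]
        ns = None if ref["kind"] == "ClusterRole" else b["metadata"].get("namespace")
        risky = risky_permissions(role_index.get((ref["kind"], ns, ref["name"]), []))
        if not risky:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            sa_ns = s.get("namespace", b["metadata"].get("namespace"))
            report.setdefault(f"{sa_ns}/{s['name']}", set()).update(risky)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for sa, caps in audit(ROLES, BINDINGS).items():
        print(f"{sa}: {', '.join(caps)}")
```

Run against the sample data, the report flags `web/frontend` and `kube-system/ops` and stays silent on `web/reporter`. The point is the same one the Shopify and Databricks talks made: a front-end service account with no need to read secrets or exec into pods should not be bound to a role that allows it, and a check like this can run in CI against the manifests before they ever reach a cluster.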

Shopify’s security tiers

Databricks’ security concerns

The focus on security for Kubernetes reflects the increasing need to address threats as organizations continue to scale up and run containerized applications in production.

From the sponsor showcase to salon talks to parties, a vibrant community made it clear that it is having a significant impact on the future of software. Thanks to the CNCF and broader Kubernetes community for putting on a fantastic show. Catch you at KubeCon in 2018!